What can law firms and accountants do to avoid opening themselves up to being defrauded?
Last updated: 27 Nov 2020
The Solicitors Regulation Authority (SRA) has recorded no fewer than 73 different types of scam targeting UK lawyers in the three months from June to August 2017 – the highest quarterly number since the SRA began monitoring such activity nearly six years ago.
“Professional services are extremely attractive targets for fraudsters,” says the Law Society’s Graham Murphy, project manager for its Conveyancing Quality Scheme. “They store a huge amount of data and transfer a vast amount of money. The average conveyancing in the UK is £230,000. No wonder fraudsters take such an interest.”
But thousands of lawyers and accountants leave themselves vulnerable. One Big Four accountant made headlines in September by admitting that not only had it been hacked, but it had taken a full six months for the firm to notice.
“We cannot stop the criminals trying,” adds Murphy. “But we don’t need to make it easy.”
Murphy recalls an alarming story about sharing a Eurostar carriage earlier this year with two strangers who, it emerged from their shockingly indiscreet phone calls, were lawyers completing a £100m conveyance. Within 15 minutes he knew all the details: “And then they popped to the buffet and left an unlocked laptop and printed emails unattended for eight minutes! Of course I didn’t do anything, but next time the person sitting opposite might not be as nice as me.”
If that sounds like a rare example of extreme, wanton carelessness, it is. But professionals’ legendary meticulous eye for detail often fails to extend to their own security. In 2015 one law firm followed a client’s emailed instructions to change her bank account details for a £400,000 transfer – to later discover they had sent the money to a conman.
Cases such as this can be averted by “cross-checking, calling the client back or simply being vigilant”, according to Peter Wright, lawyer, cyber-security expert and founder of Digital Law UK, which gives technological security advice to solicitors. “Human error is very often responsible.”
But there are other ways a practice can greatly minimise the risk of being targeted.
Wright says: “Many frauds are perpetrated by someone who can get past an easy password into the server and then impersonates the firm to clients, or impersonates a senior manager on the internal email system to get payment details changed. This is the one to be most scared about, because people think ‘no one’s bothered about my little firm’. Well, they are.”
So make your passwords less obvious, or put in double, even triple levels of security. When emailing files, encrypt them – and if a client or other firm apparently contacts you asking for a change in payment details, call them back from another phone to double check. “It is obvious,” says Murphy, “but people just don’t do it.”
Law and accountancy firms are more susceptible to viruses than almost any other sector. Why? “Acquisitions and mergers,” says Wright. “You often acquire practices with older, unsupported versions of Windows. Or perhaps you bought a pricey case management system five/six years ago that actually only works with older versions of Excel so you don’t want to update your system.”
But that’s the price of security – and it’s worth it. In 2016 the WannaCry and NotPetya viruses took down hundreds of thousands of computers in over 100 countries in a few hours – including, famously, the NHS – because these organisations ran unsupported systems.
“And it’s not just the lockdown itself and potential ransom to pay – it’s the ongoing time cost,” says Wright. “You won’t necessarily recover all editable Word documents, you might just get back your PDFs – which means you’ll spend weeks keying in that data again. Viruses bring down everything in their path that isn’t protected – so make sure you are.”
Arguably, this is the most direct, immediate threat. You don’t want to believe your staff are conning you or your clients, but it does happen – with cataclysmic results.
“Staff can use information for financial gain or to help them to a job elsewhere,” warns Murphy. “But completely innocent staff can also let in a fraudster by sending out the wrong report, attaching the wrong file to an email, maybe picking up papers to send to a client and accidentally scooping some information from another case. Make sure staff are recruited, trained and supervised properly.”
“Too much information is needlessly visible,” says Wright. “It’s basic – lock your screen and secure papers if leaving your desk. Have individual passwords and don’t share them – even in a really small office. You may well trust everyone, but what about the guy who comes to fix the photocopier, or the cleaner? I’ve known at least one case where a criminal stole information by looking through a window.”
“You need a way of working that ensures everyone follows the rules,” says Murphy, “but also an open, transparent environment where people feel they can immediately be honest if they have made a mistake so it can be rectified. A lot of deceit comes from trying to cover up what was initially an honest mistake.”
The main fraud threats tend to depend on the size of the practice. “Smaller firms are more vulnerable to hackers because it’s potentially a relaxed atmosphere, people share caseloads, know each other’s passwords, which then access the files of the entire client base,” says Wright. “Larger firms, on the other hand, are more susceptible to hackers because their computer systems have vulnerabilities they weren’t aware of. The big firms check staff stringently, may have key-fob building access, but don’t see their operating system has a big weakness in it.”
Sadly, the threat is here to stay. “Three hundred years ago a crook might rob you with a pistol and a horse,” says Murphy. “Forty years ago it was a shotgun and a Ford Granada. Now it’s a computer and your password. The tools change, but the criminal doesn’t. All you can be is prepared. And if it is difficult to get into your system, it’s like having a burglar alarm on your house – the crook is more likely to look for lower hanging fruit.”
Wright agrees. “There’s no quick fix, because you need to stay a step ahead. But educate your staff. That doesn’t mean them glazing over during a lunchtime PowerPoint session; it means embedding this culture in the organisation.”